Wednesday, November 30, 2016

My favorite guest blogger Arsh Arora, a malware analyst and Ph.D. researcher at UAB, is back with new and interesting facts about Kelihos, a botnet family that he has been tracking for a year and half and providing some great intel about to the community and law enforcement. Today, he noticed that it is delivering URLs leading to Troldesh ransomware. Take it from here, Arsh ...

No_More_Ransom, aka Troldesh encryption ransomware, is being delivered by Kelihos in the form of embedded URLs within the email messages. The delivery mechanism is similar to previous cases of ransomware spammed by Kelihos. In early July, Kelihos introduce itself to the world of ransomware by spamming links to Wildfire ransomware followed by CryptFIle2 ransomware in August. Then, it shifted its focus towards different banking trojans such as Panda Zeus, Nymain and Kronos. Now, it took a complete circle and struck back with Troldesh encryption ransomware. The funny thing is that the ransomware encrypted the files with the extension ".no_more_ransom". Moreover, the URLs spammed were redirected to download a JavaScript file and a Microsoft Word document. This is the first time that Kelihos malware has used JavaScript to infect users.

Another interesting observation was that this spam campaign was specifically geo-targeting Australian email addresses ending with ".au". ".pl" email users were getting dating spam, while ".us" extension emails were being invited to sign up as Money Mules. All other email TLDs were getting the traditional pharmaceutical spam.

NoMoreRansom aka Troldesh Ransomware

While doing the daily run of malware, one of my fellow researchers at UAB, Max Gannon, noticed a different behavior in the Kelihos botnet. It was sending embedded links using the Credit Debt theme. The most important fact is that some of the URLs were redirected to download a .zip file containing a JavaScript file, while other links download a Microsoft Word document. When writing this blog, most of the URLs were still live.

Subject: Please Settle Credit Arrears ShortlyDear Client!Our Credit Department has done research on your payment record for last year and learned that payments had not been made for last 3 months. We are now working on the issue pertaining to ways to help you with fulfilling liabilities and settling these arrears.At the same time, we realize you may have had excellent reasons for such payment breakdown. That is exactly why we are contacting you now. Notwithstanding, if you are not proceeding your debt settlement, we will have to engage our enforcement units in commencing the law-suit case against you. This is the compulsory measure, so unfortunately, we may not help you.Please process at least the very first payment at the earliest possible time. Else, charges may apply, and then the trial may be run.We have made the full report of your situation. It contains the payment history, the total debt amount effective today, and further recommendations on arranging the issue. Please open and be guided with instructions as soon as possible.The file can be found here: hxxp://greatwesternco[dot]com/wp-content/themes/twentyten/redirect[dot]phpSincerely Yours,Bank of AmericaCustomer Relations Department.

hxxp://starsounds[dot]net/wp-content/themes/twentyeleven/redirect[dot]php - Down

Infection by JavaScript has not been an associated behavior with Kelihos. Hence, it can be considered a noticeable change and well-thought out strategy by the bot operators.

Hashes of the JavaScript and Word document are:

1d57eba1cb761b99ffcf6bc8e1273e9c instructions.doc

711881576383fbfeaaf90b1d6c24fce0 instructions.js

On the other hand, embedded URLs for Microsoft Word documents have been seen before. The document performed in a similar fashion requesting to enable the macros by clicking "Enable Content" aka "Encrypt Me" button. After this process it downloads a payload from the following link:

After the file is downloaded, it encrypts the system with the Troldesh encryption ransomware and adds the "no_more_ransom" extension at the end of each file on the system. The ransom note on the desktop was displayed in Russian as well as English.

Fig. 2: Desktop screen after encryption

Fig. 3: Ransom Note found in text ReadMe.txt

All the important files on your computer were encrypted.

To decrypt the files you should send the following code:

xxxxxxxxxxxxxxxxxxxxx

to e-mail address 2Lynness.Taftfera1990@gmail[dot]com .

Then you will receive all necessary instructions.

All the attempts of decryption by yourself will result only in irrevocable loss of your data.

If you still want to try to decrypt them by yourself please make a backup at first because

the decryption will become impossible in case of any changes inside the files.

If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),

use the feedback form. You can do it by two ways:

1) Download Tor Browser from here:

https://www.torproject.org/download/download-easy.html.en

Install it and type the following address into the address bar:

http://cryptsen7fo43rr6.onion/

Press Enter and then the page with feedback form will be loaded.

2) Go to the one of the following addresses in any browser:

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

The above is a plain text version of the ransom note. As it can be seen, a Gmail address is being use, which is one of its kind behavior.

Troldesh did not stop trolling the victim there, it downloads the PONY malware and contacts its command and control center at this location:

hxxp://ipieceofcake[dot]com/wp-content/uploads/2016/04/gate[dot]php

When I visited the link it was down, but thanks to our Malware expert Neera Desai who works for PhishMe and is pursuing her Masters in Computer Forensics at UAB, we were able to visit the panel page of the Pony malware.

Fig. 4: Pony malware panel page

This was really fascinating as Kelihos spammed URLs for Troldesh encryption ransomware with redirects to a malicious Microsoft Word document and a zip file containing JavaScript. The files eventually encrypt the system but it also downloads the Pony malware to steal all the information from the victim's computer. Hence, causing a double blow to the victim.

Money Mule Spam

Kelihos botnet was not in a mood to stop. It also sent Money Mule spam geo-targeting users with the ".us" United States email address. It impersonated a company from 'China looking for employees'.

Other subject lines that were spammed in the same theme are mentioned below with their corresponding reply-to email address.

Subject - China company is looking for employees - kia01915@aol[dot]com

Subject - We are hiring new employees to our office - kia01915@aol[dot]com

Subject - We are hiring new employees to our office - bree10682@aol[dot]com

Subject - Job opportunity - marquerite23894@aol[dot]com

Subject - Open vacancy - marquerite23894@aol[dot]com

The other thing to note is that all of the email addresses use AOL domains, which is a unique thing in itself.

To conclude, Kelihos has been surprising the researchers quite often and it has become necessary to keep track of different activities of the botnet. The ransomware inclusion brings interesting twists from the research as well as law enforcement. Another thing that I found while searching for NoMoreRansom was a group established by key leaders in the community to fight against the rise of ransomware.

So is the extension of NoMoreRansom a challenge to the people fighting it? Who knows?